AKS Algorithm: Finding shortest nonzero vectors. · 2019. 6. 17. · 12th June, 2019 AKS Algorithm...
12th June, 2019 AKS Algorithm | 1/30
AKS Algorithm: Finding shortest nonzero vectors.
Hilder Vítor Lima Pereira
Introduction to lattices and their applications in Computer Science/Cryptography.
Doctoral Programme in Computer Science and Computer Engineering
University of Luxembourg.
12th June, 2019
Table of contents
1. Introduction
2. AKS for λ1 ∈ [2, 3)
3. AKS for general lattices
Introduction
SVP: Given a lattice L, the shortest nonzero vector problem (SVP) is the problem of finding a point v ∈ L \ {0} such that the Euclidean norm is minimized, that is, ∀u ∈ L \ {0}, ‖v‖2 ≤ ‖u‖2.
Introduction
Solving SVP:
Algorithms for approximate versions of SVP.
• LLL solves approx. SVP with exponential approximation factor in polynomial time.
• BKZ solves approx. SVP with polynomial approximation factor roughly in exponential time.
What about AKS?
• It solves the exact version of SVP.
• Exponential time and memory.
• It is a randomized algorithm.
• It outputs the correct answer with overwhelming probability.
Overview
1. Sample 2^{O(n)} random lattice points inside a ball B(0, R).
2. Find “center points” among them, i.e., points close to several other points.
3. Get new lattice points by computing the difference between the points and their centers. (Note that the new points lie in B(0, R′) with R′ < R.)
4. Repeat it with those new points unless they are already shorter than some bound.
5. Output the shortest vector among the remaining ones.
1. How does one sample random lattice points within a ball?
We actually sample them indirectly:
• Sample a real vector x ∈ B(0, R) ∩ Rn.
• Compute y ∈ P(B) (the fundamental region) such that y − x ∈ L.
• Define z = y − x as the random lattice point.
We compute y as x mod B := x − B⌊B^{-1}x⌋, which is a “reduction modulo the basis B”.
Notice that z is the corner of the translated fundamental region that covers x.
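As an added numpy example (not from the slides or from any AKS implementation), the indirect sampler described above: draw x in the ball, reduce it to y = x mod B with the floor formula, output z = y − x, and check the invariants y ∈ P(B) and z ∈ L. The basis B_DEMO, the radius 5 and the seed are constructed for the demo.

```python
import numpy as np

def reduce_mod_basis(x, B):
    """x mod B := x - B*floor(B^{-1} x).  B holds the basis vectors as columns, so
    the result is B*c with every coefficient c_j in [0, 1), i.e. a point of P(B)."""
    x = np.asarray(x, dtype=float)
    return x - B @ np.floor(np.linalg.solve(B, x))

def sample_ball(n, R, rng):
    """One point uniform in the ball B(0, R): a uniform direction (normalised
    Gaussian) scaled by R * u^(1/n), the uniform radial law in R^n."""
    g = rng.standard_normal(n)
    return R * (g / np.linalg.norm(g)) * rng.random() ** (1.0 / n)

def random_lattice_point(B, R, rng):
    """The indirect sampler of the slide: x in B(0,R), y = x mod B, z = y - x in L
    (x lies in the translate P(B) - z of the fundamental region)."""
    x = sample_ball(B.shape[0], R, rng)
    y = reduce_mod_basis(x, B)
    return x, y, y - x

def check_invariants(B, x, y, z, eps=1e-9):
    """True iff y has basis coefficients in [0, 1), z has integer coefficients
    (so z is a lattice vector) and z equals y - x."""
    cy, cz = np.linalg.solve(B, y), np.linalg.solve(B, z)
    return (bool(np.all(cy >= -eps)) and bool(np.all(cy < 1 + eps))
            and bool(np.allclose(cz, np.round(cz), atol=eps))
            and bool(np.allclose(z, y - np.asarray(x, dtype=float), atol=eps)))

B_DEMO = np.array([[2.0, 1.0],   # constructed basis: columns b1 = (2, 0), b2 = (1, 3)
                   [0.0, 3.0]])

def demo(n_samples=200, seed=2019):
    """Draw n_samples lattice points inside B(0, 5) and count how many pass the checks."""
    rng = np.random.default_rng(seed)
    return sum(check_invariants(B_DEMO, *random_lattice_point(B_DEMO, 5.0, rng))
               for _ in range(n_samples))
```

For the constructed point x = (3.5, 4) the reduction gives y = (0.5, 1) and z = (−3, −3) = −(b1 + b2).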
2. How does one find center points?
We use a procedure known as Sieve:
Algorithm 1: SIEVE
Input: A positive R ∈ ℝ and X := {x1, ..., xN} ⊂ B(0, R)
Output: A set C of pairs (i, j) such that xj is the center of xi.
C := ∅
for i = 1 until N do
    if ∃(i′, j) ∈ C such that ‖xi − xj‖2 ≤ R/2 then
        C = C ∪ {(i, j)}    ▷ xj becomes the center of xi
    else
        C = C ∪ {(i, i)}    ▷ xi becomes its own center
Notice that the “centers” are defined by the second entry of the pairs (i, j) in C. For each xi, its center is xj.
2. How does one find center points?
Lemma. Let R ∈ ℝ_{>0}. For any set of points X = {x1, ..., xN} ⊂ B(0, R), let C be the set returned by SIEVE. Then
(i) C defines at most 5^n centers and
(ii) ∀(i, j) ∈ C, ‖xi − xj‖2 ≤ R/2.
Moreover, (iii) SIEVE runs in polynomial time in the input size.
2. How does one find center points?
Proof. Define balls of radius R/4 around each center. Notice that they are disjoint, because the distance between two centers is bigger than R/2. Furthermore, their union is contained in B(0, 5R/4). Therefore, the number of balls (which equals the number of centers) is at most
vol(B(0, 5R/4)) / vol(B(0, R/4)) = 5^n.
Propositions (ii) and (iii) are trivial.
Remember that vol(B(0, R)) = π^{n/2} R^n / Γ(n/2 + 1).
AKS for λ1 ∈ [2, 3)
We are almost ready to see the algorithm AKS. Before defining it for the general case, let’s assume we are working over lattices for which λ1 ∈ [2, 3).
We will see in the end how to remove this restriction.
Algorithm 2: AKS*, for λ1 ∈ [2, 3)
Input: A basis B of an n-dimensional lattice whose λ1 ∈ [2, 3)
Output: A shortest nonzero vector of L(B)
R := n · max ‖bj‖2 + 2
N := 2^{8n} log R
Sample X := {x1, ..., xN} unif. in B(0, 2) ∩ ℝ^n
Y := {yi := xi mod B : xi ∈ X} ⊂ P(B)
while R > 6 do
    C := SIEVE(Y)
    for each center yj defined by C do
        Y = Y \ {yj}; X = X \ {xj}
    for each yj in Y do
        Let yc be the center of yj
        yj = yj − (yc − xc)
    R = R/2 + 2
Return the shortest (yi − xi) − (yj − xj) (among Y and X)
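Added example, not code from the slides or from the AKS paper: Algorithm 1 (SIEVE) and Algorithm 2 (AKS*) in numpy, run on a constructed 2-dimensional basis B_DEMO with λ1 = 2. The sample count num_points is a demo parameter standing in for N = 2^{8n} log R, and the x mod B reduction of the sampling slide is repeated inline.

```python
import numpy as np

def sieve(Y, R):
    """Algorithm 1 (SIEVE): each point joins the first existing center within
    distance R/2, otherwise it becomes a new center.  Returns a dict i -> j
    meaning y_j is the center of y_i (j == i for the centers themselves)."""
    Y = np.asarray(Y, dtype=float)
    centers, assign = [], {}
    for i, y in enumerate(Y):
        for j in centers:
            if np.linalg.norm(y - Y[j]) <= R / 2:
                assign[i] = j
                break
        else:
            centers.append(i)
            assign[i] = i
    return assign

def aks_star(B, num_points, rng):
    """Algorithm 2 (AKS*) for a basis B (columns) with lambda_1 in [2, 3).
    num_points is a demo parameter standing in for N = 2^{8n} log R."""
    n = B.shape[0]
    R = n * max(np.linalg.norm(B[:, j]) for j in range(n)) + 2
    g = rng.standard_normal((num_points, n))            # X: uniform in B(0, 2)
    X = 2 * g / np.linalg.norm(g, axis=1, keepdims=True) * rng.random((num_points, 1)) ** (1 / n)
    Y = X - (B @ np.floor(np.linalg.solve(B, X.T))).T   # Y: x mod B, points of P(B)
    while R > 6:
        assign = sieve(Y, R)
        shift = {c: Y[c] - X[c] for c in set(assign.values())}  # lattice vectors y_c - x_c
        keep = [i for i in range(len(Y)) if i not in shift]      # remove the centers
        Y = np.array([Y[i] - shift[assign[i]] for i in keep])    # now |y_i| <= R/2 + 2
        X = X[keep]
        R = R / 2 + 2
    # each z_i = y_i - x_i is a lattice vector of norm <= 8; keep the distinct ones
    coeffs = np.unique(np.round(np.linalg.solve(B, (Y - X).T)).T + 0.0, axis=0)
    Z = coeffs @ B.T
    best = None                                           # shortest nonzero z_i - z_j
    for a in Z:
        for b in Z:
            d = a - b
            if np.linalg.norm(d) > 1e-9 and (best is None or np.linalg.norm(d) < np.linalg.norm(best)):
                best = d
    return best

B_DEMO = np.array([[2.0, 1.0],   # constructed basis, columns (2, 0) and (1, 3): lambda_1 = 2
                   [0.0, 3.0]])

def demo(num_points=3000, seed=7):
    """Run AKS* on B_DEMO with a fixed seed; the answer should be (2, 0) up to sign."""
    return aks_star(B_DEMO, num_points, np.random.default_rng(seed))
```

With the seeded 3000 samples the loop runs twice (R goes 8.32 → 6.16 → 5.08) and the returned vector is ±(2, 0), the unique shortest vector of B_DEMO up to sign.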
AKS for λ1 ∈ [2, 3)
Lemma. The number of iterations of the while loop in AKS* is at most 2 log R0, where R0 is the first value assigned to R.
Proof. Let Rk be the value of R at the beginning of the k-th iteration. Then we have R1 = R0, R2 = R0/2 + 2, R3 = R0/2^2 + 1 + 2, R4 = R0/2^3 + 1/2 + 1 + 2, etc. In general,
Rk = R0/2^{k−1} + 2 + Σ_{i=0}^{k−3} 1/2^i.
For k = ⌈log R0⌉ + 1 we have Rk ≤ 1 + 2 + 2 = 5 < 6 and then the while loop is aborted. Therefore, the number of iterations is at most
⌈log R0⌉ + 1 ≤ 2 log R0.
AKS for λ1 ∈ [2, 3)
Lemma. AKS* runs in time 2^{O(n)} times some polynomial in the input size.
Proof. Let S = log(R0) be the input length.
The initialization step, before the while loop, already costs 2^{O(n)} poly(S). The final step, after the loop, is clearly cheaper than this (since we have removed several points from Y and X).
The procedure SIEVE runs in polynomial time in the number of points it receives, that is, O(poly(2^{8n} log R)) = 2^{O(n)} poly(S).
By the last lemma, SIEVE is executed at most 2S times, therefore the cost of the loop is also 2^{O(n)} poly(S).
AKS for λ1 ∈ [2, 3)
Lemma. Let Z := {(xi, yi) : xi ∈ X ∧ yi := xi mod B}. At the end of AKS*, the set Z has an exponential number of pairs and each pair gives us a lattice vector with norm bounded by 8.
Remark. Several pairs (xi, yi) and (xj, yj) define the same lattice point...
AKS for λ1 ∈ [2, 3)
Proof. By the definition of yi, at the beginning of the algorithm we have yi ∈ P(B), thus ‖yi‖2 ≤ Σ ‖bj‖2 ≤ R0. And at each iteration k, yi is updated to yi − (yc − xc), therefore its norm becomes
‖yi − (yc − xc)‖2 ≤ ‖yi − yc‖2 + ‖xc‖2 ≤ Rk/2 + 2.
Thus, at the end of the last iteration, we have ‖yi‖2 ≤ 6. Therefore, we have yi − xi ∈ L and
‖yi − xi‖2 ≤ 6 + 2 = 8.
Now notice that at each iteration, at most 5^n points are removed from X and Y, therefore
|Z| ≥ N − 5^n · 2 log R0 = (2^{8n} − 2 · 5^n) log R0 ≥ 2^{7n} log R0.
AKS for λ1 ∈ [2, 3)
Let’s breathe a bit...
• We have proved that AKS* finds an exponentially large set of pairs which define (possibly repeated) very short lattice points.
• Remember that we are supposing λ1 ∈ [2, 3) and all those lattice points have norm smaller than 8. Therefore, they are already a very good approximation to a shortest nonzero vector.
• Intuitively, it is very likely that a shortest nonzero vector is indeed among them.
AKS for λ1 ∈ [2, 3)
How can we prove that AKS* really finds a shortest nonzero vector with high probability?
Intuition:
• Notice that if we sample the points xi differently, but keeping the same distribution, the algorithm’s output must be the same.
• For analysis purposes, sample xi such that many of them are equal to a fixed w and many have the form w ± v, where v is a shortest nonzero vector.
• Then, at the end of the algorithm, with high probability, we will have xi and xj whose difference equals ±v.
AKS for λ1 ∈ [2, 3)
A lemma that we will need later...
Lemma. Let L be a lattice such that λ1 ∈ [2, 3). Then there are at most 9^n lattice points inside B(0, 8).
Proof. Let m be the number of points in L ∩ B(0, 8). Because λ1 ≥ 2, we can consider m disjoint balls of radius 1 centered at each lattice point inside B(0, 8). Then, the union of all these balls is contained in B(0, 9). Thus, we have m · vol(B(0, 1)) ≤ vol(B(0, 9)). Therefore,
m ≤ vol(B(0, 9)) / vol(B(0, 1)) = 9^n.
AKS for λ1 ∈ [2, 3)
Theorem. If λ1 ∈ [2, 3), then AKS* returns a shortest nonzero vector with probability exponentially close to 1, i.e., bigger than 1 − 2^{−n}.
AKS for λ1 ∈ [2, 3)
Sketch of the proof
Let v be a shortest nonzero vector, thus ‖v‖2 ∈ [2, 3). Define C1 := B(0, 2) ∩ B(−v, 2) and C2 := B(0, 2) ∩ B(v, 2).
[Figure: the regions C1 and C2 drawn around the points −v, (0,0) and v. (a) Example for ‖v‖2 = 2. (b) Example for ‖v‖2 = 3.]
AKS for λ1 ∈ [2, 3)
Sketch of the proof
Define the function τ : X → X that flips vectors from C1 to C2 and vice-versa:
τ(xi) = xi + v, if xi ∈ C1;  xi − v, if xi ∈ C2;  xi, otherwise.
Notice that τ is a bijection, therefore X and τ(X) follow the same distribution. Moreover, xi mod B = (xi ± v) mod B (since v ∈ L), therefore
yi = xi mod B ⇔ yi = τ(xi) mod B.
Therefore, AKS* has the same output given X or τ(X).
AKS for λ1 ∈ [2, 3)
Sketch of the proof
Hence, apply τ to all xi. As proved earlier, we have more than 2^{7n} vectors xi at the end of the algorithm. For each of them, we have a lattice point zi := yi − xi and zi ∈ B(0, 8). But there are at most 9^n lattice points inside B(0, 8). Therefore, there exists w ∈ L yielded by at least 2^{7n}/9^n ≥ 2^{3.8n} pairs of xi and yi.
Then, with high probability*, for such w, at least one xi is in C1 ∪ C2 and at least one xj doesn’t belong to C1 ∪ C2. But then xi is flipped by τ and xj isn’t, and therefore AKS* returns
(yi − xi ± v) − (yj − xj) = w ± v − w = ±v.
Sketch of the proof
* It is not hard to see that for such w, at least one xi is in C1 ∪ C2 with probability bigger than 1 − 2^{−n}. Notice that B(v/2, 0.5) fits in C2 and, symmetrically, B(−v/2, 0.5) fits in C1. Hence vol(C1) ≥ vol(B(v/2, 0.5)). Therefore,
vol(C1) / vol(B(0, 2)) ≥ vol(B(v/2, 0.5)) / vol(B(0, 2)) = 0.5^n / 2^n = 2^{−2n}.
Thus, we have ∀xi ← U(B(0, 2)), Pr[xi ∈ C1 ∪ C2] ≥ 2 · 2^{−2n}. Then, considering the (more than) 2^{3.8n} vectors xi associated to w and using Chebyshev’s inequality, we have
Pr[∃i : xi ∈ C1 ∪ C2] ≥ 1 − 2^{2n}/2^{3.8n} = 1 − 1/2^{1.8n} ≥ 1 − 2^{−n}.
AKS for λ1 ∈ [2, 3)
Sketch of the proof.
* Using a similar argument we can also see that for such w, at least one xi is outside C1 ∪ C2 with probability bigger than 1 − 2^{−n}.
Removing the restriction λ1 ∈ [2, 3)
“Okay, nice. But our lattices don’t have such a small λ1!”- Impatient audience.
Removing the restriction λ1 ∈ [2, 3)
Using LLL, we can find an estimate e for λ1 such that
λ1 ≤ e ≤ 2^n λ1.
Manipulating that inequality, we get:
1 ≤ e/λ1 ≤ 2^n ⇔ 1/2^n ≤ λ1/e ≤ 1 ⇔ e/2^n ≤ λ1 ≤ e.
Therefore, we know that the length of a shortest nonzero vector of L is in the interval
[e/2^n, e].
Removing the restriction λ1 ∈ [2, 3)
• Consider the lattice L′ := (2^{n+1}/e) L.
• Then 2 ≤ λ1(L′) ≤ 2^{n+1}.
• If v is a shortest nonzero vector of L′, then (e/2^{n+1}) v is a shortest nonzero vector of L.
• Therefore, it is sufficient to solve the SVP on L′.
Removing the restriction λ1 ∈ [2, 3)
How to solve SVP on L′ knowing that λ1(L′) ∈ [2, 2^{n+1}]?
• Write
[2, 2^{n+1}] ⊂ [2, 3) ∪ [2x, 3x) ∪ [2x^2, 3x^2) ∪ ... ∪ [2x^ℓ, 3x^ℓ).
• By choosing x = 3/2, we have 3x^k = 2x^{k+1}.
• We need an ℓ such that 3x^ℓ > 2^{n+1} ⇔ 3(3/2)^ℓ > 2^{n+1} ⇔ 3^{ℓ+1} > 2^{ℓ+n+1}, and it is sufficient to take ℓ = 2n.
• Then, for some k ∈ {0, ..., ℓ}, λ1(L′) ∈ [2x^k, 3x^k).
• Therefore, for such k, λ1(x^{−k} L′) = x^{−k} λ1(L′) ∈ [2, 3).
The AKS algorithm (for any λ1)
Algorithm 2: AKS
Input: A basis B of an n-dimensional lattice L
Output: A shortest nonzero vector of L(B)
Run LLL to get an estimate e for λ1
Define L′ := (2^{n+1}/e) L    ▷ Just multiply B by 2^{n+1}/e
for k = 0 until 2n do
    Define Lk := x^{−k} L′
    vk = AKS*(Lk)
Let v be a shortest nonzero vector among all vk
Let u = x^k v be a shortest nonzero vector of L′
Return (e/2^{n+1}) u
References
M. Ajtai, R. Kumar, D. Sivakumar (2001)
A sieve algorithm for the shortest vector problem.
Proceedings of the thirty-third annual ACM Symposium on Theory of Computing. Pages 601–610.
Oded Regev (2004)
2^{O(n)}-time algorithm for SVP.
Lecture notes: Lattices in Computer Science. Tel Aviv University.